2014-11-18, 05:49 AM
Greetings,
I am the new tech for http://forum.thedumpload.net (I'm the guy behind the daft punk and percussive maintenance downtime pages for the curious
) and it is getting utterly pounded, After talking in #mybb, I've implemented the ACP PIN and am ensuring admins log off after finishing work on the ACP, but it still appears to be a pretty bad security issue. I also have made the admin directory password protected on the directory level. Since I believe a site-level cookie thing, directory level protection may subvert it, but only time will tell.
Basically, they're able to get into admin accounts directly on the ACP and start doing whatever they want on it into someone bans them - My first thought was SQL but I guess XSS would make more sense.
They are using TOR exit nodes - Spamming firewall on the IP they are using probably won't help you much
I'd advise anyone affected by these guys enact the following(special thanks to Darth-Apple):
Heres the plugins we are running: Flags, shoutbox, google SEO, google analytics, my profile, show users online today, recent threads, social sites, view unread posts
I'm honestly not too sure on how to handle this outside of the measures taken above, which is basically just hotfixes to try and prevent it from happening.
If MyBB staff wants to run some omega-log-everything plugin(supposively one exists?) to see whats going on, I'd be open to it, shoot me a PM
-tails
I am the new tech for http://forum.thedumpload.net (I'm the guy behind the daft punk and percussive maintenance downtime pages for the curious
) and it is getting utterly pounded, After talking in #mybb, I've implemented the ACP PIN and am ensuring admins log off after finishing work on the ACP, but it still appears to be a pretty bad security issue. I also have made the admin directory password protected on the directory level. Since I believe a site-level cookie thing, directory level protection may subvert it, but only time will tell.Basically, they're able to get into admin accounts directly on the ACP and start doing whatever they want on it into someone bans them - My first thought was SQL but I guess XSS would make more sense.
They are using TOR exit nodes - Spamming firewall on the IP they are using probably won't help you much
I'd advise anyone affected by these guys enact the following(special thanks to Darth-Apple):
- Change admin directory from admin to something custom, this won't do a whole lot but itle help. You can change where the default admin directory is in config.php then simply rename it via FTP
- make sure admins log out when done using ACP - I can not stress this enough
- Password protect the directory via CPanel - This will hopefully do the trick, but only time will tell.
- Enact admin PIN - Won't do a whole lot like changing admin directory, but itle help.
- do /not/ give out the PIN/directory pass on the forum itself, it may be compromised (see below)
- You can advise users to change passes, but definately make sure all admins/mods change passwords.
Heres the plugins we are running: Flags, shoutbox, google SEO, google analytics, my profile, show users online today, recent threads, social sites, view unread posts
I'm honestly not too sure on how to handle this outside of the measures taken above, which is basically just hotfixes to try and prevent it from happening.
If MyBB staff wants to run some omega-log-everything plugin(supposively one exists?) to see whats going on, I'd be open to it, shoot me a PM
-tails